OnGuard Agent shows ClearPass server unreachable when the client has L3 connectivity to the server.

As shown in the screenshot below, agent.conf lists two authentication servers, 10.17.164.156 and 10.17.164.166. When 10.17.164.156 is down or unreachable (as shown with ICMP), the OnGuard agent tries the second authentication server in the list.

Although the second server is reachable from the client (as shown with ICMP), the OnGuard agent shows "ClearPass server: None reachable". As a result, the health check fails.

Solution

The OnGuard agent logs show that the agent tried to connect to the ClearPass server over HTTPS but failed to resolve the hostname because of the blank space between the first authentication server and the second one.

In this case, removing the blank space resolved the issue. By default, there is no space between the authentication server IP addresses in a zone. However, care must be taken when configuring override servers in the OnGuard agent settings (Navigation: Administration » Agents and Software Updates » OnGuard Settings » Policy Manager Zones) so that the list does not contain any spaces.
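
A pre-deployment check for an override server list, as an added example that is not part of the original article or of ClearPass. It assumes the list is comma-separated (the article does not show the file format); the function names are hypothetical and the sample values are constructed from the two addresses above.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_host(entry: str) -> bool:
    """True if entry is a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(entry)  # rejects " 10.17.164.166" (leading space)
        return True
    except ValueError:
        pass
    if not entry or len(entry) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in entry.rstrip(".").split("."))


def check_server_list(value: str, sep: str = ","):
    """Return (problems, cleaned) for a server list string.

    The separator is an assumption; pass a different one if the list uses it.
    """
    problems, cleaned = [], []
    for index, raw in enumerate(value.split(sep), start=1):
        entry = raw.strip()
        if raw != entry:
            problems.append(f"entry {index} {raw!r}: leading/trailing whitespace")
        if not entry:
            problems.append(f"entry {index}: empty")
            continue
        if not is_valid_host(entry):
            problems.append(f"entry {index} {entry!r}: not a valid IP or hostname")
            continue
        cleaned.append(entry)
    return problems, sep.join(cleaned)


if __name__ == "__main__":
    # Constructed samples: the correct list, then the list with the stray space.
    for sample in ("10.17.164.156,10.17.164.166", "10.17.164.156, 10.17.164.166"):
        problems, cleaned = check_server_list(sample)
        print(repr(sample), "->", problems or "OK", "| cleaned:", cleaned)
```

Run it against the value before saving the zone's override servers; an empty problem list means every entry is free of stray whitespace and parses as an IP address or hostname.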